policy

package
v10.358.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 23, 2021 License: Apache-2.0 Imports: 15 Imported by: 11

Documentation

Overview

Package policy describes a generic interface for retrieving policies. Different implementations are possible for environments such as Kubernetes, Mesos or other custom environments. An implementation has to provide a method for retrieving policy based on the metadata associated with the container and deleting the policy when the container dies. It is up to the implementation to decide how to generate the policy. The package also defines the basic data structure for communicating policy information. The implementations are responsible for providing all the necessary data.

Index

Constants

View Source
const (
	// AllowAll allows everything for the specific PU.
	AllowAll = 0x1
	// Police filters on the PU based on the PolicyRules.
	Police = 0x2
)
View Source
const (
	TagKeyController = "$controller"
	TagKeyID         = "$id"
	TagKeyIdentity   = "$identity"

	TagValueProcessingUnit = "processingunit"
)

Aporeto tag key and value constants

View Source
const (
	// Equal is the equal operator
	Equal = "="
	// NotEqual is the not equal operator
	NotEqual = "=!"
	// KeyExists is the key=* operator
	KeyExists = "*"
	// KeyNotExists means that the key doesnt exist in the incoming tags
	KeyNotExists = "!*"
)
View Source
const (
	ErrExcludedNetworks  = "excludednetworks"
	ErrTargetTCPNetworks = "targettcpnetworks"
)

Ping Errors.

View Source
const (
	// DefaultNamespace is the default namespace for applying policy
	DefaultNamespace = "bridge"
)

Variables

This section is empty.

Functions

func DefaultAction

func DefaultAction(action ActionType) string

DefaultAction generates the default action of the rule

func DefaultDropPacketLogPrefix

func DefaultDropPacketLogPrefix(contextID string) string

DefaultDropPacketLogPrefix generates the nflog prefix for packets logged by the catch all default rule

func DefaultLogPrefix

func DefaultLogPrefix(contextID string, action ActionType) string

DefaultLogPrefix return the prefix used in nf-log action for default rule.

func EncodedStringToAction

func EncodedStringToAction(e string) (ActionType, ObserveActionType, error)

EncodedStringToAction returns action and observed action from encoded string.

func ErrPUAlreadyActivated

func ErrPUAlreadyActivated(puID string, err error) error

ErrPUAlreadyActivated creates a new PU already activated error

func ErrPUCreateFailed

func ErrPUCreateFailed(puID string, err error) error

ErrPUCreateFailed creates a new PU create failed error

func ErrPUNotFound

func ErrPUNotFound(puID string, err error) error

ErrPUNotFound creates a new context not found error

func ErrPUNotUnique

func ErrPUNotUnique(puID string, err error) error

ErrPUNotUnique creates a new not unique error

func ErrPUPolicyEnforcementFailed

func ErrPUPolicyEnforcementFailed(puID string, err error) error

ErrPUPolicyEnforcementFailed creates a new PU policy pending error.

func ErrPUPolicyPending

func ErrPUPolicyPending(puID string, err error) error

ErrPUPolicyPending creates a new PU policy pending error.

func Fnv32Hash

func Fnv32Hash(data ...string) (string, error)

Fnv32Hash hash the given data by Fnv32-bit algorithm.

func IsErrPUAlreadyActivated

func IsErrPUAlreadyActivated(err error) bool

IsErrPUAlreadyActivated checks if this error is a PU already activated error

func IsErrPUCreateFailed

func IsErrPUCreateFailed(err error) bool

IsErrPUCreateFailed checks if this error is a PU not unique error

func IsErrPUEnforcementFailed

func IsErrPUEnforcementFailed(err error) bool

IsErrPUEnforcementFailed checks if this error is a PU policy pending error.

func IsErrPUNotFound

func IsErrPUNotFound(err error) bool

IsErrPUNotFound checks if this error is a PU not found error

func IsErrPUNotUnique

func IsErrPUNotUnique(err error) bool

IsErrPUNotUnique checks if this error is a PU not unique error

func IsErrPUPolicyPending

func IsErrPUPolicyPending(err error) bool

IsErrPUPolicyPending checks if this error is a PU policy pending error.

Types

type ActionType added in v1.0.24

type ActionType byte

ActionType is the action that can be applied to a flow.

const (
	// Accept is the accept action
	Accept ActionType = 0x1
	// Reject is the reject  action
	Reject ActionType = 0x2
	// Encrypt instructs data to be encrypted
	Encrypt ActionType = 0x4
	// Log instructs the datapath to log the IP addresses
	Log ActionType = 0x8
	// Observe instructs the datapath to observe policy results
	Observe ActionType = 0x10
)

func (ActionType) Accepted added in v1.0.24

func (f ActionType) Accepted() bool

Accepted returns if the action mask contains the Accepted mask.

func (ActionType) ActionString added in v1.0.24

func (f ActionType) ActionString() string

ActionString returns if the action if accepted of rejected as a long string.

func (ActionType) Encrypted added in v1.0.24

func (f ActionType) Encrypted() bool

Encrypted returns if the action mask contains the Encrypted mask.

func (ActionType) Logged added in v1.0.24

func (f ActionType) Logged() bool

Logged returns if the action mask contains the Logged mask.

func (ActionType) Observed

func (f ActionType) Observed() bool

Observed returns if the action mask contains the Observed mask.

func (ActionType) Rejected added in v1.0.24

func (f ActionType) Rejected() bool

Rejected returns if the action mask contains the Rejected mask.

func (ActionType) String added in v1.0.24

func (f ActionType) String() string

type ApplicationService

type ApplicationService struct {
	// ID is the id of the service
	ID string

	// NetworkInfo provides the network information (addresses/ports) of the service.
	// This is the public facing network information, or how the service can be
	// accessed. In the case of Load Balancers for example, this would be the
	// IP/port of the load balancer.
	NetworkInfo *common.Service

	// PrivateNetworkInfo captures the network service definition of an application
	// as seen by the application. For example the port that the application is
	// listening to. This is needed in the case of port mappings.
	PrivateNetworkInfo *common.Service

	// PrivateTLSListener indicates that the service uses a TLS listener. As a
	// result we must TLS for traffic send locally in the service.
	PrivateTLSListener bool

	// NoTLSExternalService indicates that TLS should not be used for an external
	// service. This option is used for API calls to local metadata APIs and
	// should not be used for access to the Internet.
	NoTLSExternalService bool

	// PublicNetworkInfo provides the network information where the enforcer
	// should listen for incoming connections of the service. This can be
	// different than the PrivateNetworkInfo where the application is listening
	// and it essentially allows users to create Virtual IPs and Virtual Ports
	// for the new exposed TLS services. So, if an application is listening
	// on port 80, users do not need to access the application from external
	// network through TLS on port 80, that looks weird. They can instead create
	// a PublicNetworkInfo and have the trireme listen on port 443, while the
	// application is still listening on port 80.
	PublicNetworkInfo *common.Service

	// Type is the type of the service.
	Type ServiceType

	// HTTPRules are only valid for HTTP Services and capture the list of APIs
	// exposed by the service.
	HTTPRules []*HTTPRule

	// Tags are the tags of the service.
	Tags []string

	// FallbackJWTAuthorizationCert is the certificate that has been used to sign
	// JWTs if they are not signed by the datapath
	FallbackJWTAuthorizationCert string

	// UserAuthorizationType is the type of user authorization that must be used.
	UserAuthorizationType UserAuthorizationTypeValues

	// UserAuthorizationHandler is the token handler for validating user tokens.
	UserAuthorizationHandler usertokens.Verifier

	// UserTokenToHTTPMappings is a map of mappings between JWT claims arriving in
	// a user request and outgoing HTTP headers towards an application. It
	// is used to allow operators to map claims to HTTP headers that downstream
	// applications can understand.
	UserTokenToHTTPMappings map[string]string

	// UserRedirectOnAuthorizationFail is the URL that the user can be redirected
	// if there is an authorization failure. This allows the display of a custom
	// message.
	UserRedirectOnAuthorizationFail string

	// External indicates if this is an external service. For external services
	// access control is implemented at the ingress.
	External bool

	// CACert is the certificate of the CA of external services. This allows TLS to
	// work with external services that use private CAs.
	CACert []byte

	// AuthToken is the authentication token for any external API service calls. It is
	// used for example by the secrets proxy.
	AuthToken string

	// MutualTLSTrustedRoots is the CA that must be used for mutual TLS authentication.
	MutualTLSTrustedRoots []byte

	// PublicServiceCertificate is a publically signed certificate that can be used
	// by the service to expose TLS to users without a Trireme client
	PublicServiceCertificate []byte

	// PublicServiceCertificateKey is the corresponding private key.
	PublicServiceCertificateKey []byte

	// PublicServiceTLSType specifies TLS Type to support on PublicService port.
	// This is useful for health checks. It should not be used for API access.
	PublicServiceTLSType ServiceTLSType
}

ApplicationService is the type of service that this PU exposes.

func (*ApplicationService) PrivatePort

func (a *ApplicationService) PrivatePort() int

PrivatePort returns the min port in the spec for the private listening port.

func (*ApplicationService) PublicPort

func (a *ApplicationService) PublicPort() int

PublicPort returns the min port in the spec for the publicly exposed port.

type ApplicationServicesList

type ApplicationServicesList []*ApplicationService

ApplicationServicesList is a list of ApplicationServices.

type DNSRuleList

type DNSRuleList map[string][]PortProtocolPolicy

DNSRuleList is a map from fqdns to a list of policies.

func (DNSRuleList) Copy

func (l DNSRuleList) Copy() DNSRuleList

Copy creates a clone of DNS rule list

type DebugConfig

type DebugConfig struct {
	DebugConfigInput
	DebugConfigResult
}

DebugConfig holds information needed for a single debug collect operation.

type DebugConfigInput

type DebugConfigInput struct {
	DebugType   gaia.EnforcerRefreshDebugValue
	NativeID    string
	FilePath    string
	PcapFilter  string
	CommandExec string
}

DebugConfigInput holds information needed to start a debug collect.

type DebugConfigMulti

type DebugConfigMulti struct {
	DebugConfigInput
	Results map[string]*DebugConfigResult
}

DebugConfigMulti holds information needed for a debug collect operation on all remote enforcers.

type DebugConfigResult

type DebugConfigResult struct {
	PID           int
	CommandOutput string
}

DebugConfigResult holds results from a debug collect.

type EnforcerType

type EnforcerType int

EnforcerType defines which enforcer type should be selected

const (
	// EnforcerMapping lets the default enforcer configuration deal with it
	EnforcerMapping EnforcerType = iota
	// EnvoyAuthorizerEnforcer specifically asks for running an envoy enforcer/authorizer
	EnvoyAuthorizerEnforcer
)

func EnforcerTypeFromString

func EnforcerTypeFromString(str string) (EnforcerType, error)

EnforcerTypeFromString parses `str` and tries to convert it to

func (EnforcerType) String

func (t EnforcerType) String() string

String implements the string interface

type Error

type Error struct {
	// contains filtered or unexported fields
}

Error is a specific error type for context

func (*Error) Error

func (e *Error) Error() string

type ErrorReason

type ErrorReason string

ErrorReason is the reason for an error

const (
	// PUNotFound error reason
	PUNotFound ErrorReason = "PUNotFound"

	// PUNotUnique error reason
	PUNotUnique ErrorReason = "PUNotUnique"

	// PUCreateFailed error reason
	PUCreateFailed ErrorReason = "PUCreateFailed"

	// PUAlreadyActivated error reason
	PUAlreadyActivated ErrorReason = "PUAlreadyActivated"

	// PUPolicyPending error reason indicates that policy activation is pending.
	PUPolicyPending ErrorReason = "PUPolicyPending"

	// PUPolicyEnforcementFailed error reason indicates that enforcement failed.
	PUPolicyEnforcementFailed
)

type ExtendedMap added in v1.0.10

type ExtendedMap map[string]string

ExtendedMap is a common map with additional functions

func (ExtendedMap) Copy added in v1.0.10

func (s ExtendedMap) Copy() ExtendedMap

Copy copies an ExtendedMap

func (ExtendedMap) Get added in v1.0.10

func (s ExtendedMap) Get(key string) (string, bool)

Get does a lookup in the map

type FlowPolicy added in v1.0.24

type FlowPolicy struct {
	ObserveAction   ObserveActionType
	Action          ActionType
	ServiceID       string
	PolicyID        string
	RuleName        string
	Labels          []string
	ServicePriority uint32 // A hash of the ServiceID
	Priority        uint32 // Priority based on the ExternalNetwork entries
}

FlowPolicy captures the policy for a particular flow

func (*FlowPolicy) Clone

func (f *FlowPolicy) Clone() *FlowPolicy

Clone creates a copy of the FlowPolicy

func (*FlowPolicy) EncodedActionString

func (f *FlowPolicy) EncodedActionString() string

EncodedActionString is used to encode observed action as well as action

func (*FlowPolicy) GetShortAndLongLogPrefix

func (f *FlowPolicy) GetShortAndLongLogPrefix() (string, string)

GetShortAndLongLogPrefix returns the short and long log prefix

func (*FlowPolicy) LogPrefix

func (f *FlowPolicy) LogPrefix(contextID string) string

LogPrefix is the prefix used in nf-log action. It must be less than

func (*FlowPolicy) LogPrefixAction

func (f *FlowPolicy) LogPrefixAction(contextID string, action string) string

LogPrefixAction is the prefix used in nf-log action with the given action. NOTE: If 0 or empty action is passed, the default is reject (6).

type HTTPRule

type HTTPRule struct {
	// URIs is a list of regular expressions that describe the URIs that
	// a service is exposing.
	URIs []string

	// Methods is a list of the allowed verbs for the given list of URIs.
	Methods []string

	// ClaimMatchingRules is a list of matching rules associated with this rule. Clients
	// must present a set of claims that will satisfy these rules. Each rule
	// is an AND clause. The list of expressions is an OR of the AND clauses.
	ClaimMatchingRules [][]string

	// Public indicates that this is a public API and anyone can access it.
	// No authorization will be performed on public APIs.
	Public bool

	// HookMethod indicates that this rule is not for generic proxying but
	// must first be processed by the hook with the corresponding name.
	HookMethod string
}

HTTPRule holds a rule for a particular HTTPService. The rule relates a set of URIs defined as regular expressions with associated verbs. The * VERB indicates all actions.

type IPRule

type IPRule struct {
	Addresses  []string
	Ports      []string
	Protocols  []string
	Extensions []string
	Policy     *FlowPolicy
}

IPRule holds IP rules to external services

type IPRuleList

type IPRuleList []IPRule

IPRuleList is a list of IP rules

func (IPRuleList) Copy added in v1.0.10

func (l IPRuleList) Copy() IPRuleList

Copy creates a clone of the IP rule list

type KeyValueOperator

type KeyValueOperator struct {
	Key       string
	Value     []string
	Operator  Operator
	ID        string
	PortRange *portspec.PortSpec
}

KeyValueOperator describes an individual matchinggit rule

type ObserveActionType

type ObserveActionType byte

ObserveActionType is the action that can be applied to a flow for an observation rule.

const (
	// ObserveNone specifies if any observation was made or not.
	ObserveNone ObserveActionType = 0x0
	// ObserveContinue is used to not take any action on packet and is deferred to
	// an actual rule with accept or deny action.
	ObserveContinue ObserveActionType = 0x1
	// ObserveApply is used to apply action to packets hitting this rule.
	ObserveApply ObserveActionType = 0x2
)

Observe actions are used in conjunction with action.

func (ObserveActionType) ObserveApply

func (f ObserveActionType) ObserveApply() bool

ObserveApply returns if the action of observation rule is allow.

func (ObserveActionType) ObserveContinue

func (f ObserveActionType) ObserveContinue() bool

ObserveContinue returns if the action of observation rule is continue.

func (ObserveActionType) Observed

func (f ObserveActionType) Observed() bool

Observed returns true if any observed action was found.

func (ObserveActionType) String

func (f ObserveActionType) String() string

type Operator

type Operator string

Operator defines the operation between your key and value.

type OptionsType added in v1.0.63

type OptionsType struct {
	// CgroupName is the name of the cgroup
	CgroupName string

	// CgroupMark is the tag of the cgroup
	CgroupMark string

	// UserID is the user ID if it exists
	UserID string

	// AutoPort option is set if auto port is enabled
	AutoPort bool

	// Services is the list of services of interest
	Services []common.Service

	// PolicyExtensions is policy resolution extensions
	PolicyExtensions interface{}

	// PortMap maps container port -> host ports.
	PortMap map[nat.Port][]string

	// ConvertedDockerPU is set when a docker PU is converted to LinuxProcess
	// in order to implement host network containers.
	ConvertedDockerPU bool
}

OptionsType is a set of options that can be passed with a policy request

type PUAction

type PUAction int

PUAction defines the action types that applies for a specific PU as a whole.

type PUInfo

type PUInfo struct {
	// ContextID is the ID of the container that the policy applies to
	ContextID string
	// Policy is an instantiation of the container policy
	Policy *PUPolicy
	// RunTime captures all data that are captured from the container
	Runtime *PURuntime
}

PUInfo captures all policy information related to a connection as well as runtime. It makes passing data around simpler.

func NewPUInfo

func NewPUInfo(contextID, namespace string, puType common.PUType) *PUInfo

NewPUInfo instantiates a new ContainerPolicy

func PUInfoFromPolicyAndRuntime

func PUInfoFromPolicyAndRuntime(contextID string, policyInfo *PUPolicy, runtimeInfo *PURuntime) *PUInfo

PUInfoFromPolicyAndRuntime generates a ContainerInfo Struct from an existing RuntimeInfo and PolicyInfo

type PUPolicy

type PUPolicy struct {

	// dnsACLs is the list of DNS names and the associated ports that the container is
	// allowed to talk to outside the data center
	DNSACLs DNSRuleList

	sync.Mutex
	// contains filtered or unexported fields
}

PUPolicy captures all policy information related ot the container

func NewPUPolicy

func NewPUPolicy(
	id string,
	namespace string,
	action PUAction,
	appACLs IPRuleList,
	netACLs IPRuleList,
	dnsACLs DNSRuleList,
	txtags TagSelectorList,
	rxtags TagSelectorList,
	identity *TagStore,
	annotations *TagStore,
	compressedTags *TagStore,
	ips ExtendedMap,
	servicesListeningPort int,
	dnsProxyPort int,
	exposedServices ApplicationServicesList,
	dependentServices ApplicationServicesList,
	scopes []string,
	enforcerType EnforcerType,
	appDefaultPolicyAction ActionType,
	netDefaultPolicyAction ActionType,
) *PUPolicy

NewPUPolicy generates a new ContainerPolicyInfo appACLs are the ACLs for packet coming from the Application/PU to the Network. netACLs are the ACLs for packet coming from the Network to the Application/PU.

func NewPUPolicyWithDefaults

func NewPUPolicyWithDefaults() *PUPolicy

NewPUPolicyWithDefaults sets up a PU policy with defaults

func (*PUPolicy) AddIdentityTag

func (p *PUPolicy) AddIdentityTag(k, v string)

AddIdentityTag adds a policy tag

func (*PUPolicy) AddReceiverRules

func (p *PUPolicy) AddReceiverRules(t TagSelector)

AddReceiverRules adds a receiver rule

func (*PUPolicy) AddTransmitterRules

func (p *PUPolicy) AddTransmitterRules(t TagSelector)

AddTransmitterRules adds a transmitter rule

func (*PUPolicy) Annotations

func (p *PUPolicy) Annotations() *TagStore

Annotations returns a copy of the annotations

func (*PUPolicy) AppDefaultPolicyAction

func (p *PUPolicy) AppDefaultPolicyAction() ActionType

AppDefaultPolicyAction returns default application action.

func (*PUPolicy) ApplicationACLs

func (p *PUPolicy) ApplicationACLs() IPRuleList

ApplicationACLs returns a copy of IPRuleList

func (*PUPolicy) Clone

func (p *PUPolicy) Clone() *PUPolicy

Clone returns a copy of the policy

func (*PUPolicy) CompressedTags

func (p *PUPolicy) CompressedTags() *TagStore

CompressedTags returns the compressed tags of the policy.

func (*PUPolicy) DNSNameACLs

func (p *PUPolicy) DNSNameACLs() DNSRuleList

DNSNameACLs returns a copy of DNSRuleList

func (*PUPolicy) DNSProxyPort

func (p *PUPolicy) DNSProxyPort() string

DNSProxyPort gets the dns proxy port

func (*PUPolicy) DependentServices

func (p *PUPolicy) DependentServices() ApplicationServicesList

DependentServices returns the external services.

func (*PUPolicy) EnforcerType

func (p *PUPolicy) EnforcerType() EnforcerType

EnforcerType returns the enforcer type of the policy.

func (*PUPolicy) ExposedServices

func (p *PUPolicy) ExposedServices() ApplicationServicesList

ExposedServices returns the exposed services

func (*PUPolicy) GetLogPrefixes

func (p *PUPolicy) GetLogPrefixes() map[string]string

GetLogPrefixes returns the current map of logging prefixes

func (*PUPolicy) IPAddresses

func (p *PUPolicy) IPAddresses() ExtendedMap

IPAddresses returns all the IP addresses for the processing unit

func (*PUPolicy) Identity

func (p *PUPolicy) Identity() *TagStore

Identity returns a copy of the Identity

func (*PUPolicy) LookupLogPrefix

func (p *PUPolicy) LookupLogPrefix(key string) (string, bool)

LookupLogPrefix returns the long version of the nlog prefix

func (*PUPolicy) ManagementID

func (p *PUPolicy) ManagementID() string

ManagementID returns the management ID

func (*PUPolicy) ManagementNamespace

func (p *PUPolicy) ManagementNamespace() string

ManagementNamespace returns the management Namespace

func (*PUPolicy) MergeLogPrefixes

func (p *PUPolicy) MergeLogPrefixes(prefixes map[string]string)

MergeLogPrefixes merges existing prefixes with the current logging prefixes

func (*PUPolicy) NetDefaultPolicyAction

func (p *PUPolicy) NetDefaultPolicyAction() ActionType

NetDefaultPolicyAction returns default network action.

func (*PUPolicy) NetworkACLs

func (p *PUPolicy) NetworkACLs() IPRuleList

NetworkACLs returns a copy of IPRuleList

func (*PUPolicy) ReceiverRules

func (p *PUPolicy) ReceiverRules() TagSelectorList

ReceiverRules returns a copy of TagSelectorList

func (*PUPolicy) Scopes

func (p *PUPolicy) Scopes() []string

Scopes returns the scopes of the policy.

func (*PUPolicy) ServiceCertificates

func (p *PUPolicy) ServiceCertificates() (string, string, string)

ServiceCertificates returns the service certificate.

func (*PUPolicy) ServicesListeningPort

func (p *PUPolicy) ServicesListeningPort() string

ServicesListeningPort returns the port that should be used by the proxies.

func (*PUPolicy) SetIPAddresses

func (p *PUPolicy) SetIPAddresses(l ExtendedMap)

SetIPAddresses sets the IP addresses for the processing unit

func (*PUPolicy) SetTriremeAction added in v1.0.10

func (p *PUPolicy) SetTriremeAction(action PUAction)

SetTriremeAction returns the TriremeAction

func (*PUPolicy) ToPublicPolicy

func (p *PUPolicy) ToPublicPolicy() *PUPolicyPublic

ToPublicPolicy converts the object to a marshallable object.

func (*PUPolicy) TransmitterRules

func (p *PUPolicy) TransmitterRules() TagSelectorList

TransmitterRules returns a copy of TagSelectorList

func (*PUPolicy) TriremeAction

func (p *PUPolicy) TriremeAction() PUAction

TriremeAction returns the TriremeAction

func (*PUPolicy) UpdateDNSNetworks

func (p *PUPolicy) UpdateDNSNetworks(networks DNSRuleList)

UpdateDNSNetworks updates the set of FQDN names allowed by the policy

func (*PUPolicy) UpdateServiceCertificates

func (p *PUPolicy) UpdateServiceCertificates(cert, key string)

UpdateServiceCertificates updates the certificate and private key of the policy

type PUPolicyPublic

type PUPolicyPublic struct {
	ManagementID           string                  `json:"managementID,omitempty"`
	ManagementNamespace    string                  `json:"managementNamespace,omitempty"`
	TriremeAction          PUAction                `json:"triremeAction,omitempty"`
	ApplicationACLs        IPRuleList              `json:"applicationACLs,omitempty"`
	NetworkACLs            IPRuleList              `json:"networkACLs,omitempty"`
	DNSACLs                DNSRuleList             `json:"dnsACLs,omitempty"`
	Identity               []string                `json:"identity,omitempty"`
	Annotations            []string                `json:"annotations,omitempty"`
	CompressedTags         []string                `json:"compressedtags,omitempty"`
	TransmitterRules       TagSelectorList         `json:"transmitterRules,omitempty"`
	ReceiverRules          TagSelectorList         `json:"receiverRules,omitempty"`
	IPs                    ExtendedMap             `json:"IPs,omitempty"`
	ServicesListeningPort  int                     `json:"servicesListeningPort,omitempty"`
	DNSProxyPort           int                     `json:"dnsProxyPort,omitempty"`
	ExposedServices        ApplicationServicesList `json:"exposedServices,omitempty"`
	DependentServices      ApplicationServicesList `json:"dependentServices,omitempty"`
	ServicesCertificate    string                  `json:"servicesCertificate,omitempty"`
	ServicesPrivateKey     string                  `json:"servicesPrivateKey,omitempty"`
	ServicesCA             string                  `json:"servicesCA,omitempty"`
	Scopes                 []string                `json:"scopes,omitempty"`
	EnforcerType           EnforcerType            `json:"enforcerTypes,omitempty"`
	AppDefaultPolicyAction ActionType              `json:"appDefaultPolicyAction,omitempty"`
	NetDefaultPolicyAction ActionType              `json:"netDefaultPolicyAction,omitempty"`
}

PUPolicyPublic captures all policy information related ot the processing unit in an object that can be marshalled and transmitted over the RPC interface.

func (*PUPolicyPublic) ToPrivatePolicy

func (p *PUPolicyPublic) ToPrivatePolicy(ctx context.Context, convert bool) (*PUPolicy, error)

ToPrivatePolicy converts the object to a private object.

type PURuntime

type PURuntime struct {

	// ServiceMeshType determines which serviceMesh is enabled ont he pod
	ServiceMeshType ServiceMesh

	sync.Mutex
	// contains filtered or unexported fields
}

PURuntime holds all data related to the status of the container run time

func NewPURuntime

func NewPURuntime(
	name string, pid int, nsPath string, tags *TagStore,
	ips ExtendedMap, puType common.PUType, serviceMeshType ServiceMesh, options *OptionsType) *PURuntime

NewPURuntime Generate a new RuntimeInfo

func NewPURuntimeWithDefaults

func NewPURuntimeWithDefaults() *PURuntime

NewPURuntimeWithDefaults sets up PURuntime with defaults

func (*PURuntime) Clone

func (r *PURuntime) Clone() *PURuntime

Clone returns a copy of the policy

func (*PURuntime) IPAddresses

func (r *PURuntime) IPAddresses() ExtendedMap

IPAddresses returns all the IP addresses for the processing unit

func (*PURuntime) MarshalJSON

func (r *PURuntime) MarshalJSON() ([]byte, error)

MarshalJSON Marshals this struct.

func (*PURuntime) NSPath added in v1.0.46

func (r *PURuntime) NSPath() string

NSPath returns the NSPath

func (*PURuntime) Name

func (r *PURuntime) Name() string

Name returns the PID

func (*PURuntime) Options

func (r *PURuntime) Options() OptionsType

Options returns tags for the processing unit

func (*PURuntime) PUType

func (r *PURuntime) PUType() common.PUType

PUType returns the PU type

func (*PURuntime) Pid

func (r *PURuntime) Pid() int

Pid returns the PID

func (*PURuntime) PortMap

func (r *PURuntime) PortMap() map[nat.Port][]string

PortMap returns the mapping from host port->container port

func (*PURuntime) SetIPAddresses

func (r *PURuntime) SetIPAddresses(ipa ExtendedMap)

SetIPAddresses sets up all the IP addresses for the processing unit

func (*PURuntime) SetNSPath added in v1.0.46

func (r *PURuntime) SetNSPath(nsPath string)

SetNSPath sets the NSPath

func (*PURuntime) SetOptions

func (r *PURuntime) SetOptions(options OptionsType)

SetOptions sets the Options

func (*PURuntime) SetPUType added in v1.0.3

func (r *PURuntime) SetPUType(puType common.PUType)

SetPUType sets the PU Type

func (*PURuntime) SetPid

func (r *PURuntime) SetPid(pid int)

SetPid sets the PID

func (*PURuntime) SetServices

func (r *PURuntime) SetServices(services []common.Service)

SetServices updates the services of the runtime.

func (*PURuntime) SetTags

func (r *PURuntime) SetTags(t *TagStore)

SetTags returns tags for the processing unit

func (*PURuntime) Tag

func (r *PURuntime) Tag(key string) (string, bool)

Tag returns a specific tag for the processing unit

func (*PURuntime) Tags

func (r *PURuntime) Tags() *TagStore

Tags returns a copy of the tags for the processing unit

func (*PURuntime) UnmarshalJSON

func (r *PURuntime) UnmarshalJSON(param []byte) error

UnmarshalJSON Unmarshals this struct.

type PURuntimeJSON

type PURuntimeJSON struct {
	// PUType is the type of the PU
	PUType common.PUType
	// Pid holds the value of the first process of the container
	Pid int
	// NSPath is the path to the networking namespace for this PURuntime if applicable.
	NSPath string
	// Name is the name of the container
	Name string
	// IPAddress is the IP Address of the container
	IPAddresses ExtendedMap
	// Tags is a map of the metadata of the container
	Tags []string
	// Options is a map of the options of the container
	Options *OptionsType
}

PURuntimeJSON is a Json representation of PURuntime

type PingConfig

type PingConfig struct {
	Mode               gaia.ProcessingUnitRefreshPingModeValue
	ID                 string
	IP                 net.IP
	Port               uint16
	Iterations         int
	TargetTCPNetworks  bool
	ExcludedNetworks   bool
	ServiceCertificate string
	ServiceKey         string
	ServiceAddresses   map[string][]string
}

PingConfig holds the configuration to run ping.

func (*PingConfig) Error

func (p *PingConfig) Error() string

Error returns error as string from ping config.

type PingPayload

type PingPayload struct {
	PingID               string      `codec:",omitempty"`
	IterationID          int         `codec:",omitempty"`
	ApplicationListening bool        `codec:",omitempty"`
	NamespaceHash        string      `codec:",omitempty"`
	ServiceType          ServiceType `codec:",omitempty"`
}

PingPayload holds the payload carried on the wire.

type PortProtocolPolicy

type PortProtocolPolicy struct {
	Ports     []string
	Protocols []string
	Policy    *FlowPolicy
}

PortProtocolPolicy holds the assicated ports, protocols and policy

type Resolver

type Resolver interface {

	// HandlePUEvent is called by all monitors when a PU event is generated. The implementer
	// is responsible to update all components by explicitly adding a new PU.
	HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime RuntimeReader) error
}

A Resolver must be implemented by a policy engine that receives monitor events.

type RuntimeError

type RuntimeError struct {
	ContextID string
	Error     error
}

RuntimeError is an error detected by the TriremeController that has to be returned at a later time to the policy engine to take action.

type RuntimeReader

type RuntimeReader interface {

	// Pid returns the Pid of the Runtime.
	Pid() int

	// Name returns the process name of the Runtime.
	Name() string

	// NSPath returns the path to the namespace of the PU, if applicable
	NSPath() string

	// Tag returns  the value of the given tag.
	Tag(string) (string, bool)

	// Tags returns a copy of the list of the tags.
	Tags() *TagStore

	// Options returns a copy of the list of options.
	Options() OptionsType

	// IPAddresses returns a copy of all the IP addresses.
	IPAddresses() ExtendedMap

	// Returns the PUType for the PU
	PUType() common.PUType

	// SetServices sets the services of the runtime.
	SetServices(services []common.Service)

	// PortMap returns portmap (container port -> host port)
	PortMap() map[nat.Port][]string
}

A RuntimeReader allows to get the specific parameters stored in the Runtime

type ServiceMesh

type ServiceMesh int

ServiceMesh to determine pod is of which servicemesh type

const (
	// None means the pod have no servicemesh enabled on it
	None ServiceMesh = iota
	// Istio servicemesh enabled on the pod
	Istio
)

func (ServiceMesh) String

func (s ServiceMesh) String() string

type ServiceTLSType

type ServiceTLSType int

ServiceTLSType is the types of TLS used on public port

const (
	ServiceTLSTypeNone ServiceTLSType = iota
	ServiceTLSTypeAporeto
	ServiceTLSTypeCustom
)

Values of UserAuthorizationTypeValues

type ServiceType

type ServiceType int

ServiceType are the types of services that can are suported.

const (
	ServiceL3 ServiceType = iota
	ServiceHTTP
	ServiceTCP
	ServiceSecretsProxy
)

Values of ServiceType

type TagSelector

type TagSelector struct {
	Clause []KeyValueOperator
	Policy *FlowPolicy
}

TagSelector info describes a tag selector key Operator value

type TagSelectorList

type TagSelectorList []TagSelector

TagSelectorList defines a list of TagSelectors

func (TagSelectorList) Copy added in v1.0.10

Copy returns a copy of the TagSelectorList

type TagStore added in v1.0.10

type TagStore struct {
	// contains filtered or unexported fields
}

TagStore stores the tags - it allows duplicate key values

func NewTagStore added in v1.0.10

func NewTagStore() *TagStore

NewTagStore creates a new TagStore

func NewTagStoreFromMap added in v1.0.10

func NewTagStoreFromMap(tags map[string]string) *TagStore

NewTagStoreFromMap creates a tag store from an input map

func NewTagStoreFromSlice

func NewTagStoreFromSlice(tags []string) *TagStore

NewTagStoreFromSlice creates a new tag store from a slice.

func (*TagStore) Add

func (t *TagStore) Add(tag string)

Add appends tag to the tag store

func (*TagStore) AppendKeyValue added in v1.0.10

func (t *TagStore) AppendKeyValue(key, value string)

AppendKeyValue appends a key and value to the tag store

func (*TagStore) Copy added in v1.0.10

func (t *TagStore) Copy() *TagStore

Copy copies a TagStore

func (*TagStore) Get added in v1.0.10

func (t *TagStore) Get(key string) (string, bool)

Get does a lookup in the list of tags

func (*TagStore) GetKeys

func (t *TagStore) GetKeys() []string

GetKeys returns the unique keys for this tag store

func (*TagStore) GetSlice added in v1.0.10

func (t *TagStore) GetSlice() []string

GetSlice returns the tagstore as a slice

func (*TagStore) IsEmpty

func (t *TagStore) IsEmpty() bool

IsEmpty if no key value pairs exist.

func (*TagStore) MarshalJSON

func (t *TagStore) MarshalJSON() ([]byte, error)

MarshalJSON custom marshal tagstore to bytes

func (*TagStore) Merge

func (t *TagStore) Merge(m *TagStore)

Merge merges tags from m into native tag store.

func (*TagStore) MergeMap

func (t *TagStore) MergeMap(tags map[string]string)

MergeMap merges map of tags into the tag store.

func (*TagStore) MergeSlice

func (t *TagStore) MergeSlice(tags []string)

MergeSlice merges slice of tags into the tag store.

func (*TagStore) RemoveTagsByKeys

func (t *TagStore) RemoveTagsByKeys(keys []string)

RemoveTagsByKeys removes all tags by key

func (*TagStore) String

func (t *TagStore) String() string

String provides a string representation of tag store.

func (*TagStore) UnmarshalJSON

func (t *TagStore) UnmarshalJSON(b []byte) error

UnmarshalJSON custom unmarshal bytes to tagstore

type UserAuthorizationTypeValues

type UserAuthorizationTypeValues int

UserAuthorizationTypeValues is the types of user authorization methods that are supported.

const (
	UserAuthorizationNone UserAuthorizationTypeValues = iota
	UserAuthorizationMutualTLS
	UserAuthorizationJWT
	UserAuthorizationOIDC
)

Values of UserAuthorizationTypeValues

Directories

Path Synopsis
Package mockpolicy is a generated GoMock package.
Package mockpolicy is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL